Security modules distinguish reading of process state (via proc) from full ptrace access using the access mode: PTRACE_MODE_{READ,ATTACH}. Read access to /proc/pid/mem requires a full ptrace attach (for more details, see: http://lwn.net/Articles/282930/). Checkpoint needs access to full process state, including memory, so we require PTRACE_MODE_ATTACH. Signed-off-by: Oren Laadan <orenl@xxxxxxxxxxxxxxx> --- checkpoint/checkpoint.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/checkpoint/checkpoint.c b/checkpoint/checkpoint.c index 325dfa3..7b141e3 100644 --- a/checkpoint/checkpoint.c +++ b/checkpoint/checkpoint.c @@ -296,7 +296,7 @@ static int may_checkpoint_task(struct ckpt_ctx *ctx, struct task_struct *t) return -EAGAIN; } - if (!ptrace_may_access(t, PTRACE_MODE_READ)) { + if (!ptrace_may_access(t, PTRACE_MODE_ATTACH)) { __ckpt_write_err(ctx, "access to task %d (%s) denied", task_pid_vnr(t), t->comm); return -EPERM; -- 1.6.0.4 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
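Review bot: The reason for requiring attach rather than read access is recorded only in the commit message, so the `ptrace_may_access(t, PTRACE_MODE_ATTACH)` call in may_checkpoint_task() should carry a short comment. It could say that checkpoint reads the task's full state, memory included, and therefore needs the same access level as /proc/pid/mem; this would keep a later cleanup from relaxing the mode back to PTRACE_MODE_READ. The error string written by __ckpt_write_err() is also unchanged, and "access to task %d (%s) denied" does not say which permission was refused. Mentioning that ptrace attach access is required would make a denial by a security module easier to diagnose, now that tasks which passed the read-mode check can fail here.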